Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/8/2021
10:00 AM
Amelia Ahlgren
Amelia Ahlgren
Commentary
50%
50%

An Answer to APP Scams You Can Bank On

Financial institutions' usual fraud-detection methods can't detect most authorized push payment (APP) scams, putting customers and banks at risk.

A coalition of organizations recently penned an open letter urging the UK government to include scams in its new Online Safety Bill.

Related Content:

3 Classes of Account Fraud That Can Cost Your Company Big Time

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Are Cyber Insurance Companies Assessing Ransomware Risk?

From the letter: "Online platforms play a pivotal role in enabling criminals to reach and defraud Internet users through the hosting, promotion, and targeting of fake and fraudulent content on their sites, including adverts that they make significant profits from."

The coalition's heart is absolutely in the right place. Consumers deserve better protection, and anyone who distributes, proliferates, or worse, profits from scam advertisements or content should indeed be held accountable.

But the unfortunate reality is that scam ads, emails, text messages, and phone calls continue to penetrate even the best-designed defenses.

When this happens — and it happens a lot — the communication, purportedly coming from a bank or government official, the police, or even a tax authority, drives an emotional response from the recipient.

Motivated by this emotion, as well as a sense of urgency and an inherent trust in the authority of the other party, duped consumers are spurred to act — often logging in to their own financial accounts to execute a transfer that "remedies the crisis." Banks call this authorized push payment (APP) fraud since the authorized user is the one making the transfer. For the layperson, it can simply be characterized as account transfer fraud.

In the United Kingdom alone in 2020, £479 million in losses reported by customers were attributed by banks to APP fraud, according to UK Finance.

The Challenge for Banks
The amount of losses is not a surprise. Just think about it: A bank's security stack must be able to decipher within milliseconds whether it's you or someone else knocking on the door to your online account.

But in the case of an APP scam, money is being transferred by the actual bank customer, who has been tricked into making a financial transaction, often transferring funds to accounts set up by scammers for this specific purpose in faraway places. In an APP scam, all of the bank's traditional modes of fraud detection — a trusted device, geolocation, IP address, and network — fall short.

What's worse, all the crucial elements of the setup occur outside the bank's purview — in places both online and offline that they can't track. They are completely blind to the scheme.

It's an incredibly confounding challenge for the banks (or anyone, frankly) as they try to stem losses and protect their customers.

Fining content distributors for taking in advertising dollars from scammers is a good place to start. But to protect vulnerable consumers, the banks also need a way to recognize that a scam is occurring, even though their anti-fraud systems are accurately detecting the legitimate customer operating within the account. The banks need a last line of defense at the spot where APP fraud occurs and traditional methods of security fail.

One such detection method that is rapidly being deployed to defeat these scams is behavioral biometrics. The technology got its wings confirming that the person behind a screen is who they claim to be — by continuously tracking swipes, taps, keystrokes, mouse movements, and other behavioral characteristics throughout an online session, and comparing them with preexisting customer profiles — all without interfering with the user's journey around the bank's website.

But beyond providing this kind of real-time, continuous authentication throughout a session, the latest advances in behavioral biometrics have enabled banks to recognize when a legitimate user is behaving as if under the influence of a scam, generally by deviating from their existing norms while navigating their websites.

A Challenge to Regulators
Given the effectiveness of such newly emerging technologies, regulators should also consider something more comprehensive than what the coalition proposes. For example, in addition to fining the content distributors, regulators could reward banks that adopt proven, innovative solutions, rather than relying on limited or outmoded security methods that have largely been compromised.

One way this could work is to require banks to disclose their APP fraud losses, with governments providing tax credits or other financial incentives where loss rates meet a predefined standard. The revenue lost to these incentives could be offset by fines generated from leaky content creators.

The Answer for Boards
Thanks to financial and logistical support from malevolent nation-states, today's fraudsters are becoming ever more resourceful and behaving more like criminal enterprises. Nefarious networks are rapidly replacing the standalone hacker, creating an arms race of sorts between cybercriminals and the banks whose defenses they seek to exploit.

This escalating threat has put cybersecurity front and center on corporate board agendas. With top-level responsibility now a fact of corporate life, it is hard to understand why any bank board would fail to adopt innovative technologies to achieve a secure and seamless online experience.

Amelia Ahlgren is EVP, Strategy and Operations, at BioCatch, where she is responsible for corporate strategy, development, and the BioCatch Client Innovation Board, a collective of forward-thinking banks seeking to leverage the unique attributes of behavioral data to solve ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.